Skip to main content
  1. Home
  2. Computing
  3. News

Google found another critical security flaw in Microsoft Edge

By

Google’s Project Zero disclosed a software vulnerability in Microsoft’s Edge browser over the weekend. The flaw was first reported privately but after Microsoft failed to patch the issue in time, Google’s Project Zero team revealed the technical details of the vulnerability along with Microsoft’s response.

Let’s be clear though, this security vulnerability isn’t the kind of thing you need to run out and uninstall Edge over. Chances are you’re using a different browser anyway, but until it’s fixed maybe stick to Chrome or Firefox. The vulnerability itself establishes a workaround for one of Edge’s built-in security countermeasures, Arbitrary Code Guard (ACG). Sidestepping ACG, Google security researcher Ivan Fratric found a way to load unsigned code into memory from malicious website accessed via Microsoft Edge.

Recommended Videos

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th,” Microsoft replied to Fratric’s disclosure.

Related

However, Microsoft added, the complexity of the fix has made it difficult to nail down a fixed date for release. Microsoft is reportedly aiming for a mid-March release for the patch, but it’s unclear if the company will make that self-imposed deadline.

We’re only hearing about this now because of Google Project Zero’s security vulnerability policy. When Project Zero discovers a vulnerability, the team reaches out privately to the manufacturer of the product — in this case, Microsoft — giving the manufacturer 90 days to get a fix together before they disclose the vulnerability to the public. This particular disclosure is unlikely to make anyone in Microsoft’s Redmond, Washington, headquarters particularly happy.

As Engadget points out, it’s not the first time Google’s exploit-finding-team has rubbed Microsoft the wrong way. Google and Microsoft have all but come to blows over these disclosures in the past, with each company taking pains to poke holes in the other’s products in order to promote their own. That doesn’t appear to be the case here but it is unlikely anyone at Microsoft is going to look favorably upon this security vulnerability being thrust into the spotlight.

Editors’ Recommendations

Topics
Jayce Wagner
Jayce Wagner
Former Digital Trends Contributor
A staff writer for the Computing section, Jayce covers a little bit of everything -- hardware, gaming, and occasionally VR.
Microsoft Copilot now has a voice and can ‘see what you see’ on the internet
Microsoft CEO Satya Nadella announces updates to the company's Copilot artificial intelligence (AI) tool.

You might want to start treating your web browser like you're always at work, at least if you want to use Microsoft's new Copilot Vision feature. The feature, which is natively built into Microsoft Edge, is able to "see what you see, and hear what you hear" as you navigate your browser, according to Microsoft's Executive Vice President Yusuf Mehdi.

All of this AI snooping isn't for nothing. Copilot Vision looks at what you're doing online to answer questions, provide recommendations, and summarize content. It can work with the new Copilot Voice feature, for example. Microsoft demoed the capabilities on Rotten Tomatoes, showing a user chatting with Copilot while browsing the website and looking for movie recommendations. Ultimately, Copilot settled on an Australian comedy for the Australian speaker, saying it made the choice because, "well, you're Australian." I guess that's taking personal context into account.

Read more
Microsoft outlines Recall security: ‘The user is always in control’
Recall promotional image.

Microsoft just released an update regarding the security and privacy protection in Recall. The blog post outlines the measures Microsoft is taking to prevent a data privacy disaster, including security architecture and technical controls. A lot of the features highlight that Recall is optional, and that's despite the fact that Microsoft recently confirmed that it cannot be uninstalled.

Microsoft's post is lengthy and covers just about every aspect of the security challenges that its new AI assistant has to face. One of the key design principles is that "the user is always in control." Users will be given the choice of whether they want to opt in and use Recall when setting up their new Copilot+ PC.

Read more
Google Chrome may start resurfacing tabs from your other devices
Google Chrome browser running on Android Automotive in a car.

Google has announced that it is currently "experimenting" with a feature that suggests pages to you based on open tabs from other devices. Chrome is already handy at picking up where you left off on other devices through tab syncing. To bolster this seamless handoff between devices, this potential new feature will serve up these tabs.

Google didn't detail exactly how this would look, but the blog post reads that it would "proactively suggest pages" on the Chrome New Tab page. Right now, this page is filled with quick links to your most viewed websites and hand-picked shortcuts. For what it's worth, to me this seems like a convenient place to put these tabs.

Read more